# SPDX-License-Identifier: GPL-2.0-only
menuconfig MODULES
	bool "Enable loadable module support"
	modules
	help
	  Kernel modules are small pieces of compiled code which can
	  be inserted in the running kernel, rather than being
	  permanently built into the kernel.  You use the "modprobe"
	  tool to add (and sometimes remove) them.  If you say Y here,
	  many parts of the kernel can be built as modules (by
	  answering M instead of Y where indicated): this is most
	  useful for infrequently used options which are not required
	  for booting.  For more information, see the man pages for
	  modprobe, lsmod, modinfo, insmod and rmmod.

	  If you say Y here, you will need to run "make
	  modules_install" to put the modules under /lib/modules/
	  where modprobe can find them (you may need to be root to do
	  this).

	  If unsure, say Y.

if MODULES

config MODULE_FORCE_LOAD
	bool "Forced module loading"
	default n
	help
	  Allow loading of modules without version information (ie. modprobe
	  --force).  Forced module loading sets the 'F' (forced) taint flag and
	  is usually a really bad idea.

config MODULE_UNLOAD
	bool "Module unloading"
	help
	  Without this option you will not be able to unload any
	  modules (note that some modules may not be unloadable
	  anyway), which makes your kernel smaller, faster
	  and simpler.  If unsure, say Y.

config MODULE_FORCE_UNLOAD
	bool "Forced module unloading"
	depends on MODULE_UNLOAD
	help
	  This option allows you to force a module to unload, even if the
	  kernel believes it is unsafe: the kernel will remove the module
	  without waiting for anyone to stop using it (using the -f option to
	  rmmod).  This is mainly for kernel developers and desperate users.
	  If unsure, say N.

config MODULE_UNLOAD_TAINT_TRACKING
	bool "Tainted module unload tracking"
	depends on MODULE_UNLOAD
	default n
	help
	  This option allows you to maintain a record of each unloaded
	  module that tainted the kernel. In addition to displaying a
	  list of linked (or loaded) modules e.g. on detection of a bad
	  page (see bad_page()), the aforementioned details are also
	  shown. If unsure, say N.

config MODVERSIONS
	bool "Module versioning support"
	help
	  Usually, you have to use modules compiled with your kernel.
	  Saying Y here makes it sometimes possible to use modules
	  compiled for different kernels, by adding enough information
	  to the modules to (hopefully) spot any changes which would
	  make them incompatible with the kernel you are running.  If
	  unsure, say N.

config ASM_MODVERSIONS
	bool
	default HAVE_ASM_MODVERSIONS && MODVERSIONS
	help
	  This enables module versioning for exported symbols also from
	  assembly. This can be enabled only when the target architecture
	  supports it.

config MODULE_SRCVERSION_ALL
	bool "Source checksum for all modules"
	help
	  Modules which contain a MODULE_VERSION get an extra "srcversion"
	  field inserted into their modinfo section, which contains a
	  sum of the source files which made it.  This helps maintainers
	  see exactly which source was used to build a module (since
	  others sometimes change the module source without updating
	  the version).  With this option, such a "srcversion" field
	  will be created for all modules.  If unsure, say N.

config MODULE_SCMVERSION
	bool "SCM version for modules"
	depends on LOCALVERSION_AUTO
	help
	  This enables the module attribute "scmversion" which can be used
	  by developers to identify the SCM version of a given module, e.g.
	  git sha1 or hg sha1. The SCM version can be queried by modinfo or
	  via the sysfs node: /sys/modules/MODULENAME/scmversion. This is
	  useful when the kernel or kernel modules are updated separately
	  since that causes the vermagic of the kernel and the module to
	  differ.

	  If unsure, say N.

config MODULE_SIG
	bool "Module signature verification"
	select MODULE_SIG_FORMAT
	help
	  Check modules for valid signatures upon load: the signature
	  is simply appended to the module. For more information see
	  <file:Documentation/admin-guide/module-signing.rst>.

	  Note that this option adds the OpenSSL development packages as a
	  kernel build dependency so that the signing tool can use its crypto
	  library.

	  You should enable this option if you wish to use either
	  CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via
	  another LSM - otherwise unsigned modules will be loadable regardless
	  of the lockdown policy.

	  !!!WARNING!!!  If you enable this option, you MUST make sure that the
	  module DOES NOT get stripped after being signed.  This includes the
	  debuginfo strip done by some packagers (such as rpmbuild) and
	  inclusion into an initramfs that wants the module size reduced.

config MODULE_SIG_FORCE
	bool "Require modules to be validly signed"
	depends on MODULE_SIG
	help
	  Reject unsigned modules or signed modules for which we don't have a
	  key.  Without this, such modules will simply taint the kernel.

config MODULE_SIG_PROTECT
	bool "Android GKI module protection"
	depends on MODULE_SIG && !MODULE_SIG_FORCE
	help
	  Enables Android GKI symbol and export protection support.

	  This modifies the behavior of the MODULE_SIG_FORCE as follows:
	  - Allows Android GKI Modules signed using MODULE_SIG_ALL during build.
	  - Allows other modules to load if they don't violate the access to
	    Android GKI protected symbols and do not export the symbols already
	    exported by the Android GKI modules. Loading will fail and return
	    -EACCES (Permission denied) if symbol access conditions are not met.

config MODULE_SIG_ALL
	bool "Automatically sign all modules"
	default y
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	help
	  Sign all modules during make modules_install. Without this option,
	  modules must be signed manually, using the scripts/sign-file tool.

comment "Do not forget to sign required modules with scripts/sign-file"
	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL

choice
	prompt "Which hash algorithm should modules be signed with?"
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	help
	  This determines which sort of hashing algorithm will be used during
	  signature generation.  This algorithm _must_ be built into the kernel
	  directly so that signature verification can take place.  It is not
	  possible to load a signed module containing the algorithm to check
	  the signature on that module.

config MODULE_SIG_SHA1
	bool "Sign modules with SHA-1"
	select CRYPTO_SHA1

config MODULE_SIG_SHA224
	bool "Sign modules with SHA-224"
	select CRYPTO_SHA256

config MODULE_SIG_SHA256
	bool "Sign modules with SHA-256"
	select CRYPTO_SHA256

config MODULE_SIG_SHA384
	bool "Sign modules with SHA-384"
	select CRYPTO_SHA512

config MODULE_SIG_SHA512
	bool "Sign modules with SHA-512"
	select CRYPTO_SHA512

endchoice

config MODULE_SIG_HASH
	string
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	default "sha1" if MODULE_SIG_SHA1
	default "sha224" if MODULE_SIG_SHA224
	default "sha256" if MODULE_SIG_SHA256
	default "sha384" if MODULE_SIG_SHA384
	default "sha512" if MODULE_SIG_SHA512

choice
	prompt "Module compression mode"
	help
	  This option allows you to choose the algorithm which will be used to
	  compress modules when 'make modules_install' is run. (or, you can
	  choose to not compress modules at all.)

	  External modules will also be compressed in the same way during the
	  installation.

	  For modules inside an initrd or initramfs, it's more efficient to
	  compress the whole initrd or initramfs instead.

	  This is fully compatible with signed modules.

	  Please note that the tool used to load modules needs to support the
	  corresponding algorithm. module-init-tools MAY support gzip, and kmod
	  MAY support gzip, xz and zstd.

	  Your build system needs to provide the appropriate compression tool
	  to compress the modules.

	  If in doubt, select 'None'.

config MODULE_COMPRESS_NONE
	bool "None"
	help
	  Do not compress modules. The installed modules are suffixed
	  with .ko.

config MODULE_COMPRESS_GZIP
	bool "GZIP"
	help
	  Compress modules with GZIP. The installed modules are suffixed
	  with .ko.gz.

config MODULE_COMPRESS_XZ
	bool "XZ"
	help
	  Compress modules with XZ. The installed modules are suffixed
	  with .ko.xz.

config MODULE_COMPRESS_ZSTD
	bool "ZSTD"
	help
	  Compress modules with ZSTD. The installed modules are suffixed
	  with .ko.zst.

endchoice

config MODULE_DECOMPRESS
	bool "Support in-kernel module decompression"
	depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ
	select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
	select XZ_DEC if MODULE_COMPRESS_XZ
	help

	  Support for decompressing kernel modules by the kernel itself
	  instead of relying on userspace to perform this task. Useful when
	  load pinning security policy is enabled.

	  If unsure, say N.

config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
	bool "Allow loading of modules with missing namespace imports"
	help
	  Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in
	  a namespace. A module that makes use of a symbol exported with such a
	  namespace is required to import the namespace via MODULE_IMPORT_NS().
	  There is no technical reason to enforce correct namespace imports,
	  but it creates consistency between symbols defining namespaces and
	  users importing namespaces they make use of. This option relaxes this
	  requirement and lifts the enforcement when loading a module.

	  If unsure, say N.

config MODPROBE_PATH
	string "Path to modprobe binary"
	default "/sbin/modprobe"
	help
	  When kernel code requests a module, it does so by calling
	  the "modprobe" userspace utility. This option allows you to
	  set the path where that binary is found. This can be changed
	  at runtime via the sysctl file
	  /proc/sys/kernel/modprobe. Setting this to the empty string
	  removes the kernel's ability to request modules (but
	  userspace can still load modules explicitly).

config TRIM_UNUSED_KSYMS
	bool "Trim unused exported kernel symbols" if EXPERT
	depends on !COMPILE_TEST
	help
	  The kernel and some modules make many symbols available for
	  other modules to use via EXPORT_SYMBOL() and variants. Depending
	  on the set of modules being selected in your kernel configuration,
	  many of those exported symbols might never be used.

	  This option allows for unused exported symbols to be dropped from
	  the build. In turn, this provides the compiler more opportunities
	  (especially when using LTO) for optimizing the code and reducing
	  binary size.  This might have some security advantages as well.

	  If unsure, or if you need to build out-of-tree modules, say N.

config UNUSED_KSYMS_WHITELIST
	string "Whitelist of symbols to keep in ksymtab"
	depends on TRIM_UNUSED_KSYMS
	help
	  By default, all unused exported symbols will be un-exported from the
	  build when TRIM_UNUSED_KSYMS is selected.

	  UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept
	  exported at all times, even in absence of in-tree users. The value to
	  set here is the path to a text file containing the list of symbols,
	  one per line. The path can be absolute, or relative to the kernel
	  source tree.

config MODULES_TREE_LOOKUP
	def_bool y
	depends on PERF_EVENTS || TRACING || CFI_CLANG

endif # MODULES